1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
|
<!DOCTYPE HTML>
<html>
<head>
<title>Media element src attribute must match src list - 'none' negative test</title>
<meta http-equiv="Content-Security-Policy" content="script-src * 'unsafe-inline'; media-src 'none'; connect-src 'self';">
<script src='/resources/testharness.js'></script>
<script src='/resources/testharnessreport.js'></script>
<script src='/common/get-host-info.sub.js'></script>
</head>
<body>
<h1>Media element src attribute must match src list - 'none' negative test</h1>
<div id='log'></div>
<script>
const otherOrigin = get_host_info().OTHER_ORIGIN;
const audioUrl = otherOrigin + "/media/sound_5.oga";
const videoUrl = otherOrigin + "/media/A4.webm";
// Asynchronously returns the next `securitypolicyviolation` event.
async function nextViolation() {
return await new Promise((resolve) => {
window.addEventListener("securitypolicyviolation", resolve, {
once: true,
});
});
}
promise_test(t => new Promise((resolve, reject) => {
const violationPromise = nextViolation();
const video = document.createElement("video");
video.type = "video/webm";
video.src = videoUrl;
video.onloadeddata = reject;
video.onerror = () => { resolve(violationPromise); };
document.body.appendChild(video);
}).then((violation) => {
assert_equals(violation.violatedDirective, "media-src", "directive");
assert_equals(violation.blockedURI, videoUrl, "blocked URI");
}), "Disallowed async video src");
promise_test(t => new Promise((resolve, reject) => {
const violationPromise = nextViolation();
const video = document.createElement("video");
video.oncanplay = reject;
video.onloadedmetadata = reject;
video.onloadeddata = reject;
const source = document.createElement("source");
source.type = "video/webm";
source.src = videoUrl;
source.onerror = () => { resolve(violationPromise); };
video.appendChild(source);
document.body.appendChild(video);
}).then((violation) => {
assert_equals(violation.violatedDirective, "media-src", "directive");
assert_equals(violation.blockedURI, videoUrl, "blocked URI");
}), "Disallowed async video source element");
promise_test(t => new Promise((resolve, reject) => {
const violationPromise = nextViolation();
const audio = document.createElement("audio");
audio.type = "audio/webm";
audio.src = audioUrl;
audio.oncanplay = reject;
audio.onloadedmetadata = reject;
audio.onloadeddata = reject;
audio.onerror = () => { resolve(violationPromise); };
document.body.appendChild(audio);
}).then((violation) => {
assert_equals(violation.violatedDirective, "media-src", "directive");
assert_equals(violation.blockedURI, audioUrl, "blocked URI");
}), "Disallowed audio src");
promise_test(t => new Promise((resolve, reject) => {
const violationPromise = nextViolation();
const audio = document.createElement("audio");
audio.oncanplay = reject;
audio.onloadedmetadata = reject;
audio.onloadeddata = reject;
const source = document.createElement("source");
source.type = "audio/webm";
source.src = audioUrl;
source.onerror = () => { resolve(violationPromise); };
audio.appendChild(source);
document.body.appendChild(audio);
}).then((violation) => {
assert_equals(violation.violatedDirective, "media-src", "directive");
assert_equals(violation.blockedURI, audioUrl, "blocked URI");
}), "Disallowed audio source element");
</script>
</body>
</html>
|
